chore(rulesets): relocate code-quality + pr-quality to standards/rulesets/ (#575)#577
Conversation
…/rulesets/ (#575) Move the org-wide compliance ruleset source of truth into its canonical home in petry-projects/.github. `.github` owns org-wide standards and compliance policy; `.github-private` is scoped to agents/skills and their assets (repo boundary codified in #576). - Add standards/rulesets/{code-quality,pr-quality}.json — byte-identical to the current .github-private/.github/rulesets/ copies (the 4-check code-quality set; NO coverage/secret-scan additions, which are sequenced separately to avoid bricking fleet repos that don't yet produce those checks). - Add standards/rulesets/README.md documenting source-of-truth, the scope boundary (release-channel-tags stays in .github-private), and the safe-sequencing rule for required-check additions. - github-settings.md: add a "Source of truth" pointer to standards/rulesets/. - AGENTS.md: add a Rulesets row to the Organization Standards index. The tooling repoint (apply-rulesets.sh + bootstrap-new-repo.sh) and removal of the JSONs from .github-private land in a follow-up PR against .github-private, which must merge after this one. Part of #575. Follows #576. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reached
Next review available in: 58 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dev-Lead — review-changes (no-changes)No changes were needed for this PR. |
There was a problem hiding this comment.
Code Review
This pull request introduces codified source-of-truth JSON configurations for org-wide GitHub repository rulesets (pr-quality and code-quality) under standards/rulesets/, along with documentation and references in AGENTS.md and standards/github-settings.md. Feedback on the changes points out an incorrect example command in the README that would fail to run, and a discrepancy in pr-quality.json where require_last_push_approval is set to false instead of true as required by the documented standard.
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
There was a problem hiding this comment.
Pull request overview
Relocates the codified org-wide compliance ruleset JSONs into standards/rulesets/ in petry-projects/.github and updates standards documentation to treat this repo as the canonical source of truth (as part of the #575 migration series).
Changes:
- Added
standards/rulesets/withcode-quality.json,pr-quality.json, and a README describing scope and sequencing guidance. - Updated
standards/github-settings.mdto point tostandards/rulesets/as the source of truth. - Updated
AGENTS.mdto includestandards/rulesets/in the Organization Standards index.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| standards/rulesets/README.md | Documents the ruleset JSON source-of-truth location, scope boundary, and required-check sequencing guidance. |
| standards/rulesets/pr-quality.json | Adds the codified pr-quality ruleset JSON to the canonical location. |
| standards/rulesets/code-quality.json | Adds the codified code-quality ruleset JSON to the canonical location. |
| standards/github-settings.md | Adds a “Source of truth” pointer to the new canonical ruleset JSON location. |
| AGENTS.md | Adds a “Rulesets” row linking to the new canonical ruleset directory. |
…ed code-quality (#575) (#579) * docs(github-settings): reconcile §243 required-checks table to codified code-quality (#575) The required-checks table claimed Coverage + Secret Scan + Dev-Lead Agent as required "All repos" while omitting agent-shield + dependency-audit — out of sync with the codified standards/rulesets/code-quality.json (4 contexts). Reconcile to the codified set and document the safe sequencing. - Point the section at standards/rulesets/code-quality.json as the source of truth. - Required (codified): SonarCloud, CodeQL, agent-shield/AgentShield, dependency-audit/Detect ecosystems (note: only the unconditional Detect job). - Reclassify: Secret Scan + Coverage → template/new repos, NOT yet fleet-wide (added to the ruleset only after a coverage backfill — requiring them now bricks repos lacking the jobs); Dev-Lead Agent → not a required context (per-PR review; requiring it deadlocks workflow-touching PRs); CI Pipeline → repo-specific. - Add a "Sequencing" note explaining why Secret Scan + Coverage are staged. Docs-only; markdownlint clean. Depends on #577 (adds standards/rulesets/). Part of #575 (folded-in from closed #1001). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix(reviews): address review comments [skip ci-relay] * fix(reviews): address review comments [skip ci-relay] * chore: dev-lead update (review-changes) [skip ci-relay] --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Co-authored-by: donpetry-bot <281750570+donpetry-bot@users.noreply.github.com>
Superseded by automated re-review at
|
…with org policy (#575) (#582) The codified pr-quality had require_last_push_approval=false, baked in when the file was authored (#972). That contradicts the org's actual policy: the meta-repos (.github, .github-private) and newer repos (TalkTerm, google-app-scripts) already enforce require_last_push_approval=true live, and #895 verified auto-rebase's update-branch is EXEMPT from last-push-approval (so enabling it does not fight the auto-rebase flow). Set the codified source of truth to true. Blast radius on next apply-rulesets run: tightens the three drifted repos still at false (ContentTwin, markets, broodly); no-op on the four already at true. Stacked on #577 (the relocation). Resolves the pr-quality file-vs-live drift flagged in petry-projects/.github-private#1013. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dev-Lead — review-changes (applied)Changes committed and pushed. |
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |
donpetry-bot
left a comment
There was a problem hiding this comment.
Automated review — APPROVED ✓
Risk: MEDIUM
Reviewed commit: e75495649ff640fb2aec27ace087df702773957b
Review mode: triage-approved (single reviewer)
Summary
Relocates the org-wide compliance ruleset source of truth (code-quality.json, pr-quality.json) into standards/rulesets/ in petry-projects/.github, plus README and docs pointers (126 additions, 0 deletions, 5 files). Implements AC #1 (partial) and AC #4 of #575. Both major findings from the prior review cycle (sha 75d3839) are resolved: the broken/unsafe README example command now reads 'GH_TOKEN= bash scripts/apply-rulesets.sh --dry-run', and require_last_push_approval was flipped to true to match the documented standard (github-settings.md). All 5 review threads resolved, all CI green, CodeRabbit approved.
Linked issue analysis
No closingIssuesReferences, but the PR body explicitly implements AC #1 (partial: the .github side) and AC #4 (docs refs) of #575, which calls for relocating the compliance ruleset JSONs from .github-private to .github/standards/rulesets/ as their canonical home. The PR is step 1 of a documented sequence (this PR → .github-private git-rm + applier repoint → docs reconcile), so the issue correctly stays open. Scope matches the issue; the repo-boundary rationale cites #576. Substantively addressed for this PR's declared slice.
Findings
- resolved (prior major): README example command — now the safe, correct invocation
GH_TOKEN=<admin-token> bash scripts/apply-rulesets.sh <repo> --dry-run(verified in the diff). The earlier RULESETS_REPO/DRY_RUN env-var form that silently ignored dry-run is gone. - resolved (prior major):
require_last_push_approvalcontradiction — commit 0dc0f02 flipped it totruein pr-quality.json, matching the documented standard in standards/github-settings.md ('Require last push approval | Yes'). Verified the .github-private origin still hasfalse, so the relocated copy intentionally diverges on exactly this one field. - info: Consequence of the fix above: the PR-body claim of 'byte-identical' now holds for code-quality.json (verified byte-identical against the .github-private original) but not for pr-quality.json (one intentional field change). The sequenced applier-repoint dry-run will show drift on that field, and once the applier runs, live rulesets will gain require-last-push-approval — a desired convergence to the written standard, but no longer strictly 'no behavior change'. Worth one line in the follow-up PR; not blocking.
- info: New README correctly documents the fleet-brick hazard of adding required-check contexts (coverage/gitleaks deliberately excluded, sequenced later) and the release-channel-tags scope boundary. Bypass actors in both JSONs are unchanged from the originals (OrganizationAdmin + Integration 3167543).
- info: run_secret_scanning MCP tool not available in this environment; skipped. Diff is JSON config + Markdown only — no credentials, tokens, or .env content; Secret scan (gitleaks) CI check is green.
- note: mergeStateStatus is BEHIND — branch needs an update onto main before merge (strict status checks). Non-blocking for review.
CI status
All merge-gating checks green at e754956: SonarCloud, CodeQL, agent-shield / AgentShield, dependency-audit / Detect ecosystems, Lint, ShellCheck, Secret scan (gitleaks), npm audit, Agent Security Scan, CodeRabbit. CANCELLED/SKIPPED entries are dev-lead dispatch/ci-relay agent jobs (last commit is tagged [skip ci-relay]) and inapplicable ecosystem audits — not merge gates.
Reviewed automatically by the PR-review agent (single-reviewer mode: fable 5). Reply if you need a human review.
|
Dev-Lead — fix-bot-comment (no-changes)Agent reasoning |



Summary
Relocates the org-wide compliance ruleset source of truth (
code-quality.json,pr-quality.json) into its canonical homestandards/rulesets/here inpetry-projects/.github..githubowns org-wide standards and compliance policy;.github-privateis scoped to agents/skills. Repo boundary codified in #576.Implements AC #1 (partial: the
.githubside) and AC #4 (docs refs) of #575.What's here (PR 1 of the series — no behavior change)
standards/rulesets/{code-quality,pr-quality}.json— byte-identical to the current.github-private/.github/rulesets/copies. This is the 4-checkcode-qualityset (SonarCloud, CodeQL, agent-shield, dependency-audit). It deliberately does not include thecoverage/Secret scan (gitleaks)contexts — adding those fleet-wide would brick every repo that doesn't yet produce them (the Copilot finding that triggered Relocate org-wide compliance rulesets (code-quality, pr-quality) from .github-private to .github/standards/rulesets/ #575). Those are sequenced in a later fold-in PR.standards/rulesets/README.md— source-of-truth, scope boundary (release-channel-tagsstays in.github-private), and the safe-sequencing rule for required-check additions.github-settings.md— a Source of truth pointer tostandards/rulesets/.AGENTS.md— a Rulesets row in the Organization Standards index.Migration safety
Rulesets live on each repo; moving the source JSON changes no live ruleset. The relocated files are verified byte-identical to the
.github-privateoriginals (the applier PUTs the file verbatim, so the payload is unchanged). Proof of the no-drift--dry-runlands with the applier repoint.Sequencing (must merge first)
.github.github-privategit rmthe two JSONs, repointapply-rulesets.sh+bootstrap-new-repo.shto resolve fleet rulesets from here, update tests.githubci.yml(secret-scan + coverage) + seed.gitleaks.toml.githubgithub-settings.md§243 reconcileThe
.github-privatefollow-up must merge after this so the applier's new source location exists.Part of #575. Follows #576.
🤖 Generated with Claude Code